Abstract

We consider using trust information to improve the anonymity provided 
by onion-routing networks. In particular, we introduce a model of trust in 
network nodes and use it to design path-selection strategies that minimize 
the probability that the adversary can successfully control the entrance to 
and exit from the network. This minimizes the chance that the adversary 
can observe and correlate patterns in the data flowing over the path and 
thereby deanonymize the user. We first describe the general case in which 
onion routers can be assigned arbitrary levels of trust. Selecting a strategy 
can be formulated in a straightforward way as a linear program, but it is 
exponential in size. We thus analyze a natural simplification of path selection 
for this case. More importantly, however, when choosing routes in practice, 
only a very coarse assessment of trust in specific onion routers is likely to 
be feasible. Therefore, we focus next on the special case in which there are 
only two trust levels. For this more practical case we identify three optimal 
route-selection strategies such that at least one is optimal, depending on the 
trust levels of the two classes, their size, and the reach of the adversary. 
This can yield practical input into routing decisions. We set out the relevant 
parameters and choices for making such decisions. 
1. Introduction

When designing or analyzing anonymous communication 
networks, researchers generally assume that all nodes routing 
traffic are equally trusted. But this typically is incorrect. There 
is much information available to those selecting routes that can 
affect trust: information about who runs some components of 
the infrastructure, what computing platforms are used, how 
long and how reliably some components have been running, 
etc. And if routing designs were to begin taking trust into 
account, then even more extensive and diverse bases for trust 
might be available. 

Onion routing is a type of anonymous communication that 
creates cryptographic circuits along an unpredictable route 
through a network of nodes called onion routers and passes 
traffic bidirectionally along those circuits with minimal latency 
[1], [2], [3]. An adversary observing an entry node and an 
exit node of an onion-routing network through which one is, 
e.g., browsing the web can easily link the two ends of the 
connection and correlate source to destination. This has been 
an acknowledged feature of the design since its inception [4]. 
Correlation is easily done with extremely high confidence by 
passive timing, that is, simply by observing the timing pattern 
of data entering the network and of data exiting the network
and matching incoming and outgoing patterns. Correlation 
can also be done with active timing, where the adversary 
inserts unique patterns in incoming data and observes where 
they appear among outgoing data. It is this vulnerability of 
onion routing circuits to hostile pairs of entry and exit nodes 
that is our focus. There are many documented attacks that 
have some effect on onion routing — correlation, congestion,
intersection, destination fingerprinting, latency, etc. None of 
the others have the efficiency or certainty that correlation does 
when an attacker owns so little of the network (i.e., just one 
entry node and one exit node) and observes so little traffic. 

Correlation is, at least in this way, the most significant 
unaddressed problem for onion routing and one that can 
likely be improved with trust knowledge. (Correlation could be 
countered by mixing, padding, or other approaches; however, 
to date no proposed countermeasure has had both low enough 
overhead and high enough expectation of success against 
realistic attackers to be pursued in practice.) This introduces 
many questions, such as whether using more trusted nodes 
helps profile or identify clients and what to do about that, 
how to model diverse trust assumptions, etc. But even ignoring 
these, it is not obvious how to take advantage of trust as a 
criterion in route selection. In particular, using trusted nodes 
more often has the disadvantage of simultaneously providing 
a small set of nodes for the adversary to attempt to monitor.
This paper is specifically focused on whether there is a way 
to use trust to reduce the probability of a circuit compromise 
by endpoints. 

Trust has many meanings and applications in computer 
security [5], [6], [7], [8], [9], [10], [11], [12]. Much of the 
literature is concerned in one way or another with propagation 
or transfer of trust from where it is to where it needs to be. 
Our concern is not with the transfer of trust information but 
with what it means in the context of onion routing and how to 
make use of it. We consider how trust associated with network 
nodes or links might be used to protect (or reveal) information 
that would undermine the anonymity of communicants. 

Tor [13] is the current widely-deployed and used public 
onion-routing network, with an estimated quarter-million concurrent
users and a few thousand network nodes. It is thus
useful to consider trust issues that arise for this deployed
network. For example, a correlating adversary could try to
compromise nodes in the network. Because Tor nodes are run
by volunteers, however, an even easier attack is to simply set
up hostile nodes and use those to attack traffic on the network. 
We have already noted that correlation attacks are strong and 
low cost. This shows us that they are also easy to deploy in 
practice. 

One way Tor reduces the threat of linking exit activity to 
sources is by use of entry guards, a small number of nodes that 
a single client uses persistently to connect to the Tor network. 
If a client has chosen guard nodes that are not compromised, 
it can never be linked by correlation to its activity by a pair 
of compromised entry-exit nodes. When entry guards were 
introduced [14], there was a brief discussion of the relative 
merits of choosing guards randomly versus based on trust 
or other features of the guard nodes. So far, no one has 
analyzed the implications of choosing nodes based on trust. 
Entry guards are currently chosen randomly from the set of 
Tor nodes (subject to some performance and other criteria). 
Abusing entry-guard selection criteria can increase the chances 
of a node being chosen as an entry guard, especially if they 
are based on reliability, performance, etc. rather than based 
on any sort of trust. Many of the threats initially observed 
about this ([14], [15]) are not feasible in the current Tor 
network. Statistically, however, the percentage of all circuits 
compromised by hostile entry-exit pairs is not reduced by the 
use of randomly chosen entry guards, nor is the probability 
that any given client will have compromised guards; it only 
affects the distribution of compromised circuits over the client 
space. If one were able to choose not just guards but whole 
routes from a more trusted set of nodes, then one’s threat of 
circuit compromise might be reduced. We hope through our 
analysis to show how best to add this protection to Tor and 
similar systems. 

In this paper we first set out a simple model that should 
facilitate reasoning about using trust in routing. We define trust 
simply to be the probability that an attempt by the adversary 
to control a node fails. We include a roving adversary that 
can attempt to compromise a certain number of nodes. Route 
selection is modeled as a three-stage game in which the user 
first picks a distribution over paths, then the adversary chooses 
a set of nodes to attempt to compromise, and finally the user 
samples a path from his distribution. While we expect this 
model to bear further fruit, we use it in this paper to show a 
number of results of both theoretical and practical interest. 

We consider various strategies for choosing first and last 
nodes in the network so as to minimize the maximum probability
a correlating adversary has for linking source to destination.
We first look at the general case, in which there is an arbitrary 
number of trust levels. We observe that a straightforward 
algorithm to calculate an optimal distribution runs in time 
exponential in the size of the adversary. We consider a 
natural simplification of looking at distributions on individual 
nodes rather than pairs of nodes and considering the product 
distribution as an approximation of the joint distribution on 
pairs. We find two optimal distributions over single nodes, but 
we then show that optimal distributions on pairs are arbitrarily 
better than products of those optimal distributions on single
nodes.

In practice, it is unlikely that one can realistically assign 
many different levels of trust, and so we next consider restricting
to the case where there are only two trust levels for nodes
in the network. Here we find three distributions and prove that 
in every case one of them must be optimal. Lastly, we discuss 
determining in practice when one of the three distributions 
is optimal based on the values of the system variables: trust 
values, size of the trusted and untrusted sets, and the size of 
the adversary. 

2. An uncompromising model of node trust 

A user wants to use a network of onion routers for anonymous
communication. He trusts some onion routers more than
others in the sense that he trusts that they are less likely to 
attempt to compromise his anonymity. How should he take 
this trust into account when he selects his paths? 

2.1. The model 


To make this question concrete, we need to make the notions 
of trust, anonymity, and an adversary precise. 

Let $R$ be the set of routers, $|R| = n$. Let there be an
adversary that is trying to compromise the user’s anonymity. 
The adversary selects k routers in R that he will attempt to 
compromise and use for deanonymization. If a router is not 
selected, it cannot be used by the adversary in an attack. 

When an onion router $i$ is selected, the adversary fails to
compromise it with probability $t_i$. This represents the user’s
trust in the router. It will be convenient to define $c_i = 1 - t_i$, the
probability that the adversary does successfully compromise
router $i$ when he attempts to do so.

A user selects a path for a circuit from some probability 
distribution. If the adversary has selected and successfully 
compromised the first and last nodes on the chosen path, the 
user has no anonymity. Otherwise, the user’s connection is 
anonymous. Therefore, to calculate anonymity, we need only 
look at the user’s distribution over entry-and-exit-node pairs. 

We would like to find the probability distribution over
pairs of routers that minimizes the chance that both members
of the pair are selected by the adversary and successfully
compromised. More precisely, we want to find $p \in \Delta_{n(n-1)/2}$,
that is, a probability distribution $p$ over pairs in $R$, that
minimizes

$$c(p) = \max_{K \subseteq R : |K| = k} \; \sum_{\{r,s\} \in \binom{K}{2}} p(r,s)\, c_r c_s .$$

For a set $S$ and $j \le |S|$, we use $\binom{S}{j}$ to represent the collection
of all subsets of $S$ of size $j$. Also, for convenience, we write
$p(\{r,s\})$ as $p(r,s)$.


2.2. The adversary 

Attackers of limited size have long been countenanced in
the security and fault-tolerance literature. While caution might
suggest designing against an adversary that can compromise
the entire network as a worst case, usable results are often 
broken against such an adversary. And, especially for large 
diverse networks, it is typically unrealistic to assume that an 
adversary has such reach. System and protocol designs have 
been shown to provide a guarantee against various types of 
failure or compromise as long as no more than some fixed 
threshold of nodes is compromised at any time, e.g., Byzantine 
fault-tolerance. 

The particular partial-network adversary from which our 
work derives is the roving adversary of Ostrovsky and 
Yung [16]. They introduced and were motivated by the concept 
of proactive security, in which an adversary could compromise 
arbitrary optimal sets of nodes given his current information. 
The roving adversary can potentially compromise every node 
in the network, but it can compromise no more than a fixed 
maximum number of nodes at any one time. Proactive security 
is concerned with properties that are resilient to such attacks. 
This can be useful for secret sharing and other distributed applications.
The adversary model was applied to onion routing
by Syverson et al. [4]. 

We alter the basic roving adversary model in two ways. 
First, to incorporate trust we add the idea that an adversary 
does not always succeed when attempting to compromise a 
node. Second, the adversary selects only one set to attack — 
there is no roving. It may be useful to bring roving back in 
for future work. Though likely of limited use for individual 
correlation attacks (given the typically short duration of onion-routing
circuits), roving could allow the adversary to learn
various communication and trust properties of the network and 
its users. 

The adversary is assumed to have prior knowledge of the 
distribution that is used to pick a route, and he uses this 
knowledge to pick the set of nodes that he will attempt to 
compromise. It is realistic in many settings to assume the 
adversary has such knowledge. For example, the probability 
distributions may be set in some software or common system 
parameters given to a wide group in which there is at least 
one compromised member. The adversary may also be able to 
infer trust information from outside knowledge about the user. 

2.3. Trust 

Trust is captured in our model with the probability $t_i$ that the
adversary’s attempt to compromise a node fails. This notion 
accommodates several different means by which users in the 
real world might trust an onion router. 

The probability might represent the user’s estimate of how 
likely it is that the operator of a given node is trying to provide, 
rather than break, anonymity. It might represent the user’s faith 
in the security of a given node against outside attack. 

To arrive at such conclusions, the users must rely on some 
outside knowledge. This might include knowledge of the 
organizations or individuals who run nodes, both knowledge 
of their technical competence and the likelihood of themselves 
harboring ill intent. It also includes knowledge of computing
platforms on which a network node is running, geopolitical
information about the node, knowledge about the hosting facility
where a node might be housed or the service provider(s)
for its access to the underlying communications network, etc.

Admittedly, it may not be the case that one can realistically 
assign specific probabilities to each node in the network 
separately. It is for this reason that we consider in sections 5 
and 6 restriction to just two trust levels. Even if one cannot be 
certain of the probability of compromise to assign at one level 
or another, one may be in a position to know the divergence of 
those levels. This is particularly the case if one is considering 
nodes run by, e.g., security or law-enforcement agencies of 
friendly governments or their contractors vs. the rest of the 
nodes on the network. Alternatively one can imagine sets of 
nodes run by reputable human rights groups, NGOs, or human 
rights agencies of friendly governments. 

Unlike many other areas, network performance or reliability 
reputation are not good bases for trust for anonymous communication.
That is because an adversary that is focused on
learning as much as possible about communication patterns 
has incentive to run the highest performing, most reliable 
nodes in the network. Thus, many of the usual metrics do 
not apply. The relation however is subtle because failure to 
consider performance at all would always result in the optimal 
choice being a secure brick [17]. 

2.4. Anonymity 

We will consider a user to be anonymous unless the adversary
has compromised the first and last routers on his path.
This is motivated by the correlation attacks mentioned above. 
The model does not include some other methods the adversary 
can use, for example congestion attacks [18], [19], denial-of-service
attacks [20], latency [21], or destination fingerprinting
[22], [23]. It also does not take into account the total effect
of an adversary’s actions on a user’s anonymity, such as the 
analysis performed in [24]. The attacks on which we focus 
are conceptually much simpler than these others, but more 
importantly, as noted in Section 1, none of these other attacks 
succeeds with as much certainty using as few resources as
this one. Note that such entry-exit correlation attacks could 
also be done by the links from source to the entry onion 
router on the entry side and links from the exit onion router to 
the destination on the exit side (or by the destination itself). 
For example, an autonomous system or internet exchange on 
these links could participate in a correlation attack [25], [26]. 
We focus, however, on just the attack as it can be done by 
network nodes. Besides simplifying analysis, this is reasonable 
to model as a practical attack given the ease with which nodes 
can be added to the network. 

Using this model, the user’s selection of the pair constituting 
the first and last onion routers on his path is the only relevant 
factor in his anonymity. The user may make this selection 
using any probability distribution p over pairs of routers. 



2.5. Objective function

We set as our objective function to find the distribution on pairs of routers that minimizes the probability of circuit compromise over all possible sets that the adversary could choose:

$$\min_{p \in \Delta_{n(n-1)/2}} \; \max_{K \subseteq R : |K| = k} \; \sum_{\{r,s\} \in \binom{K}{2}} p(r,s)\, c_r c_s .$$

This provides a worst-case guarantee, and if the user has a distribution with a low worst-case value, he is guaranteed anonymity with high probability regardless of the adversary’s actions. As a worst-case criterion, however, it may direct the user to protect against adversarial actions that are unlikely. Indeed, while the adversary’s goal is to find the subset $K \subseteq R$ that maximizes his chance of compromise, it is easy to see that this problem in general is equivalent to the NP-hard problem CLIQUE. Therefore the adversary may fail in many cases to actually select the worst-case set.


3. Strategies for the general case

Given arbitrary trust values $c_1, \ldots, c_n$, we would like to find a polynomial-time algorithm that takes as input the trust values and outputs an optimal or near-optimal distribution $p^*$.


3.1. Exact algorithm

There is a straightforward formulation of this problem as a linear program. Let the set of variables be $p_{ij}$, $i, j \in R$. The following constraints ensure that $p$ is a probability distribution:

$$0 \le p_{rs} \le 1 \quad \text{for all } \{r,s\} \in \binom{R}{2}, \qquad \sum_{\{r,s\} \in \binom{R}{2}} p_{rs} = 1 .$$

We want to find the distribution that satisfies the minimax criterion

$$\min_{p} \; \max_{K \in \binom{R}{k}} \; \sum_{\{r,s\} \in \binom{K}{2}} c_r c_s\, p(r,s) .$$

For any fixed $K$, the sum

$$c(p, K) = \sum_{\{r,s\} \in \binom{K}{2}} p(r,s)\, c_r c_s$$

is linear in $p$. Therefore the minimax criterion minimizes the maximum of linear functions. We can thus transform it into a simple minimization problem by adding a slack variable $t$ and some linear constraints. We force $t$ to be greater than the maximum of our linear functions:

$$t - c(p, K) \ge 0 \quad \text{for all } K \in \binom{R}{k} .$$

Then the objective function is simply $\min t$. Unfortunately, this linear program is of exponential size ($O(n^k)$) because of the constraints for each subset.


3.2. Choosing a simple distribution

A straightforward simplification is to consider restricting the output to be a distribution in which the first and last routers are chosen independently and identically at random and then minimizing the probability that they are individually compromised.

Let $p_R$ be a distribution on $R$. We consider the distribution $p^*_R$ that minimizes the probability that an adversary chooses and successfully compromises a single router:

$$c(p_R) = \max_{K \subseteq R : |K| = k} \; \sum_{r \in K} p_R(r)\, c_r$$

$$p^*_R = \operatorname*{argmin}_{p_R} \; c(p_R)$$

The following theorem states that it is always optimal either to put all the probability on the most trusted router or to set the probabilities such that the values $c_i p_R(r_i)$ are equal for all $r_i \in R$.

Theorem 1: Let $c_\mu = \min_i c_i$. Let $p^1_R$ put all the probability on the most trusted router:

$$p^1_R(r) = \begin{cases} 1 & \text{if } r = r_\mu \\ 0 & \text{otherwise} \end{cases}$$

Let $p^2_R$ set probability inversely proportional to $c_i$:

$$p^2_R(r_i) = \alpha / c_i$$

where $\alpha = \left(\sum_i 1/c_i\right)^{-1}$.

Then

$$c(p^*_R) = \begin{cases} c(p^1_R) & \text{if } c_\mu \le k\alpha \\ c(p^2_R) & \text{otherwise} \end{cases}$$

Proof: Suppose $p_R$ is an optimal distribution. Sort the routers so that $c_1 p_R(r_1) \ge c_2 p_R(r_2) \ge \cdots \ge c_n p_R(r_n)$. The set $K$ that maximizes $\sum_{r \in K} c_r p_R(r)$ is then $\{r_1, r_2, \ldots, r_k\}$, and the value of $p_R$ is $c(p_R) = \sum_{i=1}^{k} c_i p_R(r_i)$.

Let $l$ be the largest index such that $c_l p_R(r_l) = c_k p_R(r_k)$.

If $l < n$, we could decrease $c_i p_R(r_i)$, $k \le i \le l$, by moving $\epsilon c_k / c_i$ probability from $r_i$ to $r_{l+1}$. This decreases $c_i p_R(r_i)$ by $c_k \epsilon$ and increases $c_{l+1} p_R(r_{l+1})$ by $\epsilon c_{l+1} c_k / c_i$. For small enough $\epsilon$ we maintain that if $i < j$ then $c_i p_R(r_i) \ge c_j p_R(r_j)$, and therefore we reduce the value $c(p_R)$. Therefore $p_R$ cannot be optimal, contradicting our assumption.

Thus it must be that $l = n$. Let $m$ be the smallest index such that $c_m p_R(r_m) = c_k p_R(r_k)$. Assume that $p_R$ is an optimal distribution that has the smallest $m$ possible.

If $m = 1$, we are in the case that $c_i p_R(r_i) = c_j p_R(r_j)$ for $1 \le i, j \le n$. This is the distribution $p^2_R$.

Suppose $m > 1$. If $p_R(r_m) = 0$, then $c(p_R) = \sum_{i=1}^{m-1} c_i p_R(r_i)$. Let $c_\mu = \min_i c_i$. Because all of the probability is contained in a set that the adversary can completely select, we do not increase $c(p_R)$ by moving all the probability to $r_\mu$:

$$c(p_R) = \sum_{i=1}^{m-1} c_i p_R(r_i) \ge \sum_{i=1}^{m-1} c_\mu p_R(r_i) = c_\mu .$$

$c_\mu$ is equal to $c(p^1_R)$.

Now consider the case that $p_R(r_m) > 0$. Recall that $c_i p_R(r_i) = c_j p_R(r_j)$ for all pairs $r_i, r_j$ in the set $S = \{r_i, m \le i \le n\}$. Consider moving probability between $r_{m-1}$ and $S$ in a way that maintains the equality of $c_i p_R(r_i)$ for $r_i \in S$. This can be achieved by setting the probability of $r_{m-1}$ to

$$p_R(r_{m-1}) + t$$

and the probability of $r_i \in S$ to

For small enough values of $t$, this preserves the property that if $i > j$ then $c_i p'_R(r_i, t) \le c_j p'_R(r_j, t)$. Therefore $c(p'_R) = \sum_{i=1}^{k} c_i p'_R(r_i, t)$. The fact that $p'_R$ is linear in $t$ makes $c(p'_R)$ also linear in $t$ for small enough values of $t$.

If $D_t c(p'_R)|_{t=0} > 0$, then for $t < 0$ large enough $c(p'_R)$ doesn’t increase. This corresponds to moving probability from $r_{m-1}$ to $S$, and the smallest $t$ that maintains the ordering by $c_i p'_R(r_i)$ results in $c_{m-1} p'_R(r_{m-1}) = c_m p'_R(r_m)$. This contradicts the assumption about the minimality of the index $m$.

If $D_t c(p'_R)|_{t=0} < 0$, then for $t > 0$ small enough $c(p'_R)$ doesn’t increase. This corresponds to moving probability from $S$ to $r_{m-1}$. In fact, no positive value of $t$ increases $c(p'_R)$. This is because setting $t > 0$ decreases the probability of all $r_i$, $i > k$, and only increases the probability of $r_{m-1}$, $m - 1 < k$, and thus preserves the fact that $c(p'_R) = \sum_{i=1}^{k} c_i p'_R(r_i, t)$. Therefore we can increase $t$ until $c_i p'_R(r_i) = 0$ for all $r_i \in S$. This puts us in the case where $p'_R(r_m) = 0$, which we have already shown implies that $c(p'_R) \ge c(p^1_R)$.

Thus we have shown that either $p^1_R$ or $p^2_R$ is an optimal distribution. $c(p^1_R) = c_\mu$ and $c(p^2_R) = k\alpha$. Therefore, if $c_\mu \le k\alpha$, $c(p^*_R) = c(p^1_R)$, and otherwise $c(p^*_R) = c(p^2_R)$. □

We might hope that the product distributions $p^1_R \times p^1_R$ and $p^2_R \times p^2_R$ over $R \times R$ are good approximations to an optimal distribution $p^*$. However, this is not the case, and we can find inputs such that $c(p^i_R)/c(p^*)$, $i \in \{1, 2\}$, is arbitrarily high. In fact, we can show this for slightly improved distributions $p^1$ and $p^2$ over $\binom{R}{2}$.

Notice that $p^i_R \times p^i_R$, $i \in \{1, 2\}$, puts positive probability on the user choosing the same router twice. The problem as formulated in Section 2 allows distributions only over distinct pairs in $\binom{R}{2}$. This doesn’t affect the optimum, however. There is always an optimal distribution that puts zero probability on $(r, r) \in R \times R$. Let $p$ be a distribution on $R \times R$. Then let

$$p'(r,s) = \begin{cases} 0 & \text{if } r = s \\ p(r,s) + \epsilon_{rs} & \text{otherwise} \end{cases}$$

where for all $r \in R$, $\sum_{s \ne r} \epsilon_{rs} = p(r, r)$.

Lemma 2: $c(p') \le c(p)$ □

Now assume that $c_1 \le c_2 \le \cdots \le c_n$ and consider two distributions over $\binom{R}{2}$:

$$p^1(r,s) = \begin{cases} 1 & \text{if } r = r_1 \wedge s = r_2 \\ 0 & \text{otherwise} \end{cases}$$

and

$$p^2(r,s) = \frac{\alpha}{c_r c_s}$$

where $\alpha = \left(\sum_{\{r,s\} \in \binom{R}{2}} 1/(c_r c_s)\right)^{-1}$. By Lemma 2, $c(p^1) \le c(p^1_R)$ and $c(p^2) \le c(p^2_R)$.

Now let $\mathcal{I}_n = (c_1, \ldots, c_n, k)$ be a problem instance that, as $n$ grows, satisfies

1) $c_1 = O(1/n)$.

2) $c_2 > c$ for some constant $c \in (0, 1)$.

3) $k = o(n)$

4) $k = \omega(1)$

For large enough $n$, $\mathcal{I}_n$ has an optimal value that is arbitrarily smaller than the values achieved by $p^1$ and $p^2$. Let $c(\mathcal{I}_n, p)$ be the value of $\mathcal{I}_n$ under distribution $p$.

Theorem 3:

$$c(\mathcal{I}_n, p^1)/c(\mathcal{I}_n, p^*) = \omega(1) \tag{1}$$

$$c(\mathcal{I}_n, p^2)/c(\mathcal{I}_n, p^*) = \Omega(k) \tag{2}$$

Proof: The following distribution achieves the ratios in Eqs. 1 and 2. Let

$$p^3(r,s) = \begin{cases} \dfrac{\alpha}{c_r c_s} & \text{if } r = r_1 \\ 0 & \text{otherwise} \end{cases}$$

where $\alpha = \left(\sum_{i=2}^{n} 1/(c_1 c_i)\right)^{-1}$. This distribution puts weight on all distinct pairs that include $r_1$. It represents a middle approach between putting all the probability on the lightest pair, as $p^1$ does, and spreading the probability over all pairs, as $p^2$ does. The optimal distribution for each $\mathcal{I}_n$ only has higher ratios with $p^1$ and $p^2$ than $p^3$ does.

The ratio between $p^1$ and $p^3$ is

$$\frac{c(\mathcal{I}_n, p^1)}{c(\mathcal{I}_n, p^3)} = \frac{c_1 c_2}{(k-1)\big/\left(\sum_{i=2}^{n} 1/(c_1 c_i)\right)} \ge \frac{1 + c_2 (n-2)/c_n}{k-1} = \omega(1) .$$

The ratio between $p^2$ and $p^3$ is

$$\frac{c(\mathcal{I}_n, p^2)}{c(\mathcal{I}_n, p^3)} = \frac{\binom{k}{2}\big/\left(\sum_{i<j} 1/(c_i c_j)\right)}{(k-1)\big/\left(\sum_{i=2}^{n} 1/(c_1 c_i)\right)} \tag{3}$$

$$= \frac{k}{2}\left(1 + \frac{c_1 \sum_{2 \le i < j \le n} 1/(c_i c_j)}{\sum_{i=2}^{n} 1/c_i}\right)^{-1} \tag{4}$$

(5)

(6)

In Eq. 5, the sum is bounded by $n$ because $c_i > c$, $i > 1$. The last line then follows because $c_1 = O(1/n)$. □

Intuitively, the reason $p^1$ does arbitrarily worse than $p^3$ is that it doesn’t take advantage of an adversary of size $o(n)$ by putting probability on $\Omega(n)$ pairs, while $p^2$ does arbitrarily worse than $p^3$ because it puts probability on pairs $\{r_i, r_j\}$, $i, j > 1$, that have $\Omega(n)$ times higher probability of being successfully compromised than pairs including $r_1$.
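
The worst-case objective of Section 2.5 and the comparison of $p^1$, $p^2$ and $p^3$ in Section 3.2 can be checked numerically on a small instance. The Python below is an added example, not code from the paper: it enumerates every adversary set $K$ (one per constraint of the linear program in Section 3.1, so it only scales to small $n$ and $k$), indexes routers 0..n-1 in ascending order of $c$, and runs on two constructed instances; all function names are hypothetical. It also applies the single-router rule of Theorem 1.

```python
from itertools import combinations
from math import comb

def worst_case(p, c, k):
    """Section 2.5 objective for one distribution p on pairs:
    max over K, |K| = k, of sum_{{r,s} in C(K,2)} p(r,s) * c_r * c_s.
    Every K is enumerated, mirroring the per-subset LP constraints."""
    best_value, best_set = 0.0, None
    for K in combinations(range(len(c)), k):
        value = sum(p.get(pair, 0.0) * c[pair[0]] * c[pair[1]]
                    for pair in combinations(K, 2))
        if best_set is None or value > best_value:
            best_value, best_set = value, K
    return best_value, best_set

def _normalised(weights):
    alpha = 1.0 / sum(weights.values())
    return {pair: alpha * w for pair, w in weights.items()}

# Routers are indexed 0..n-1 with c sorted ascending, so index 0 is r_1.
def p1(c):
    """All probability on the lightest pair {r_1, r_2}."""
    return {(0, 1): 1.0}

def p2(c):
    """p(r,s) = alpha / (c_r c_s) over every distinct pair."""
    return _normalised({(r, s): 1.0 / (c[r] * c[s])
                        for r, s in combinations(range(len(c)), 2)})

def p3(c):
    """p(r,s) = alpha / (c_r c_s) over the pairs that include r_1 only."""
    return _normalised({(0, s): 1.0 / (c[0] * c[s])
                        for s in range(1, len(c))})

def closed_forms(c, k):
    """Values that appear in the ratio computations of Theorem 3's proof
    (valid for 2 <= k <= n and c sorted ascending)."""
    n = len(c)
    return {
        "p1": c[0] * c[1],
        "p2": comb(k, 2) / sum(1.0 / (c[i] * c[j])
                               for i, j in combinations(range(n), 2)),
        "p3": (k - 1) / sum(1.0 / (c[0] * c[i]) for i in range(1, n)),
    }

def theorem1(c, k):
    """Single-router case: value and name of the better of p^1_R, p^2_R."""
    c_mu = min(c)
    k_alpha = k / sum(1.0 / x for x in c)
    return (c_mu, "p1_R") if c_mu <= k_alpha else (k_alpha, "p2_R")

def compare(c, k):
    """Brute-force worst-case value of p1, p2 and p3 on one instance."""
    c = sorted(c)
    return {name: worst_case(dist(c), c, k)[0]
            for name, dist in (("p1", p1), ("p2", p2), ("p3", p3))}

# Constructed instances: 12 routers, adversary attempts k = 4 of them.
ONE_TRUSTED = [0.05] + [0.6] * 11   # one highly trusted router, c_1 small
UNIFORM = [0.5] * 12                # no usable trust information

if __name__ == "__main__":
    for label, c in (("one trusted", ONE_TRUSTED), ("uniform", UNIFORM)):
        values = {name: round(v, 5) for name, v in compare(c, 4).items()}
        print(label, values, theorem1(c, 4))
```

With one highly trusted router the middle distribution $p^3$ gives the lowest worst-case value of the three; with identical trust values $p^2$ does, which is why the choice has to depend on the trust values and on $k$.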


4. When pairing off, trust is everything 

Allowing arbitrary trust values may be unnecessarily general.
Users are unlikely to have precise knowledge of the
probability of compromise for each onion router in the network.
Instead, they seem more likely to have a few classes
of trust into which they can partition the routers, or to have 
detailed knowledge about only a small number of routers. 
This fact may help us deal with the apparent computational 
intractability of the general problem. Also, the potentially 
complicated optima that result from arbitrary trust values may 
not satisfy other criteria for path-selection strategies that our 
problem formulation does not include. For example, we may 
want the number of possible optimal strategies to be small so 
users share their behavior with many others, or we may want 
the strategies to be robust to small changes in trust values. 

Therefore, we now consider the case that there are only two 
trust values. We refer to the nodes with higher trust as the 
trusted set, and nodes with lower trust as the untrusted set. 
This case is simple yet results in non-obvious conclusions, and 
also still provides practical advice to users. 

In Section 5 we show that, when there are only two trust 
values, there are three strategies that are potentially optimal. 
But first we give here a lemma that allows us to consider only 
distributions that treat the routers within a trust set identically. 
Note that this lemma holds for general trust values. 

Lemma 4: Let $U$ be a set of routers with identical trust values $c$, where $|U| = m$. Let $V$ be the rest of the routers, where $|V| = n$. Then the set of routers is $R = U \cup V$. There exists an optimal distribution $p$ in which the following hold:

1) For all $\{u, v\}, \{w, x\} \in \binom{U}{2}$, $p(u, v) = p(w, x)$.

2) For all $v \in V$, $u, w \in U$, $p(v, u) = p(v, w)$.

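Proof: Consider some distribution over pairs $p : \binom{R}{2} \to [0, 1]$, $\sum_{\{r,s\} \in \binom{R}{2}} p(r,s) = 1$. Consider any subset $S \subseteq V$. Let $X_S$ be a subset chosen randomly from all subsets $X$ of size $k$ such that $X \cap V = S$. Let $j = k - |S|$ be the size of $X_S \cap U$. Let $c(p, K)$ be the probability of compromise under $p$, given that set $K$ is chosen by the adversary. That is,

$$c(p, K) = \sum_{\{r,s\} \in \binom{K}{2}} p(r,s)\, c_r c_s$$

We can calculate the expected probability of compromise of $X_S$ as follows:

$$E[c(p, X_S)] = \binom{m}{j}^{-1} \sum_{T \in \binom{U}{j}} \left[ \sum_{\{t,u\} \in \binom{T}{2}} p(t,u)\, c^2 + \sum_{u \in T, v \in S} p(u,v)\, c\, c_v + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w \right] \tag{7}$$

$$= \binom{m}{j}^{-1} \left[ \binom{m-2}{j-2} \sum_{\{t,u\} \in \binom{U}{2}} p(t,u)\, c^2 + \binom{m-1}{j-1} \sum_{v \in S, u \in U} p(v,u)\, c\, c_v \right] + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w \tag{8}$$

$$= \frac{j(j-1)\, c^2}{m(m-1)} \sum_{\{t,u\} \in \binom{U}{2}} p(t,u) + \frac{j}{m} \sum_{v \in S, u \in U} p(v,u)\, c\, c_v + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w \tag{9}$$

There must be some set $T \subseteq U$ of size $j$ such that $c(p, S \cup T)$ is at least the expectation expressed in Eq. 9. If we modify $p$ to treat all nodes in $U$ the same, and thus satisfy the conditions in the statement of the lemma, every such $T$ achieves the value in Eq. 9. Let $p'$ be this modified distribution:

$$p'(r,s) = \begin{cases} \sum_{\{t,u\} \in \binom{U}{2}} p(t,u) \big/ \binom{m}{2} & \text{if } \{r,s\} \in \binom{U}{2} \\ \sum_{u \in U} p(r,u)/m & \text{if } r \in V, s \in U \\ \sum_{u \in U} p(s,u)/m & \text{if } r \in U, s \in V \\ p(r,s) & \text{if } \{r,s\} \in \binom{V}{2} \end{cases}$$

The probability of compromise for any value $S \cup T$ of $X_S$ is

$$c(p', S \cup T) = \binom{j}{2} \binom{m}{2}^{-1} \sum_{\{t,u\} \in \binom{U}{2}} p(t,u)\, c^2 + \frac{j}{m} \sum_{v \in S} \sum_{u \in U} p(v,u)\, c_v c + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w . \tag{10}$$

Equations 9 and 10 are equal, and therefore $\max_{T : |T| = j} c(p', S \cup T) \le \max_{T : |T| = j} c(p, S \cup T)$. Because this holds for all $S \subseteq V$, $\max_{K : |K| = k} c(p', K) \le \max_{K : |K| = k} c(p, K)$. □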


5. Choosing pairs to avoid compromise 

“Dear Abby, Dear Abby, Well I never thought, that me
and my girlfriend would ever get caught.” 

John Prine — Lyrics to “Dear Abby” 


Now we analyze optimal distributions for selecting pairs when there are two trust values in the network, $c_1$ and $c_2$, with $c_1 < c_2$. We show that, in this case, one of the following strategies is always optimal: (i) choose a pair of trusted routers uniformly at random, (ii) choose pairs such that $p(r,s)\, c_r c_s$ is equal for all $\{r,s\} \in \binom{R}{2}$, or (iii) choose only fully-trusted or fully-untrusted pairs such that the adversary has no advantage in attacking either trusted or untrusted routers. Distribution (i) corresponds to distribution $p^1$, described in Section 3.2, with the difference that (i) spreads probability to all the most-trusted routers and not just two. Distribution (ii) corresponds to distribution $p^2$ of Section 3.2. Distribution (iii) shows that non-obvious distributions can exist even when the trust values are very restricted.

Let $U$ be the trusted set, with trust value $c_1$, $|U| = m$. Let $V$ be the untrusted set, with trust value $c_2$, $|V| = n$.

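Theorem 5: Let $v_0 = \max(k - m, 0)$ and $v_1 = \max(k - n, 0)$. Then let $g_0 =$ and $g_1 =$ . One of the following is an optimal distribution:

$$p(r,s) = \begin{cases} \dfrac{(c_2)^2}{\binom{m}{2}(c_2)^2 + (mn)(c_1 c_2) + \binom{n}{2}(c_1)^2} & \text{if } \{r,s\} \in \binom{U}{2} \\[2ex] \dfrac{(c_1 c_2)}{\binom{m}{2}(c_2)^2 + (mn)(c_1 c_2) + \binom{n}{2}(c_1)^2} & \text{if } (r,s) \in U \times V \cup V \times U \\[2ex] \dfrac{(c_1)^2}{\binom{m}{2}(c_2)^2 + (mn)(c_1 c_2) + \binom{n}{2}(c_1)^2} & \text{if } \{r,s\} \in \binom{V}{2} \end{cases} \tag{11}$$

$$p(r,s) = \begin{cases} \binom{m}{2}^{-1} & \text{if } \{r,s\} \in \binom{U}{2} \\ 0 & \text{otherwise} \end{cases} \tag{12}$$

$$p(r,s) = \begin{cases} \binom{m}{2}^{-1} \dfrac{c_2^2 (1 - g_0)}{c_1^2 (1 - g_1) + c_2^2 (1 - g_0)} & \text{if } \{r,s\} \in \binom{U}{2} \\[2ex] \binom{n}{2}^{-1} \dfrac{c_1^2 (1 - g_1)}{c_1^2 (1 - g_1) + c_2^2 (1 - g_0)} & \text{if } \{r,s\} \in \binom{V}{2} \\[2ex] 0 & \text{if } (r,s) \in U \times V \cup V \times U \end{cases} \tag{13}$$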


Proof: Let $p$ be some distribution on $\binom{R}{2}$. By Lemma 4, we can assume that $p(t,u) = p(x,y)$, if $t, u, x, y \in U$. Similarly, $p(v,w) = p(x,y)$, if $v, w, x, y \in V$. Again using Lemma 4, $p(u,v) = p(u,y) = p(x,y)$, if $u, x \in U$ and $v, y \in V$. This shows that all pairs intersecting both $U$ and $V$ have equal probability.

If $k \ge n + m$, the adversary can try to compromise all routers. Thus the best strategy is to only choose pairs from the trusted set $U$, as described in Eq. 12. From now on, assume that $k < n + m$.

Let $K_j \subseteq R$ be of size $k$ and have an intersection with $U$ of size $j$. The value of $j$ alone determines the probability of compromise for $K_j$, because it determines the number of pairs in $\binom{U}{2}$, $U \times V$, and $\binom{V}{2}$. As we have just shown, the exact pairs included do not matter because their probability is determined by their class. Let $p_1 = \sum_{\{t,u\} \in \binom{U}{2}} p(t,u)$, $p_2 = \sum_{(u,v) \in U \times V} p(u,v)$, and $p_3 = \sum_{\{v,w\} \in \binom{V}{2}} p(v,w)$. Then we can say that

$c(p, K_j) =$ (14)


To narrow the set of possible optimal assignments of $p_1$,
$p_2$, and $p_3$, we will first consider the effect of varying $p_2$.
The quantity we want to minimize is the maximum value of
Eq. 14. Equation 14 is a quadratic function of $j$. Assume that
the second derivative is non-zero. If it is zero it is easy to show
that the distribution $p$ is the distribution described in Eq. 11.
Otherwise, we will show that we can improve the maximum
by changing $p_2$. We can find the local extremum by taking the
derivative of Eq. 14 and setting it to zero. Solving for $j$ gives


$$j^* = \frac{n(n-1)p_1c_1^2 - k(m-1)(n-1)p_2c_1c_2 + (2k-1)m(m-1)p_3c_2^2}{2\left(n(n-1)p_1c_1^2 - (m-1)(n-1)p_2c_1c_2 + m(m-1)p_3c_2^2\right)} \qquad (15)$$


Unfortunately, $j^*$ must be integral to represent a worst-case
subset, and therefore we cannot just substitute the expression
in Eq. 15 into Eq. 14 and solve for the optimal value of
$p_2$. There may in fact be two values of $j$ that are maxima,
and varying $p_2$ could possibly increase the value at one while
decreasing the value at the other. Therefore, while varying $p_2$, we
simultaneously vary $p_1$ and $p_3$ to maintain the local extremum
of Eq. 14 at $j^*$. Then both possible maxima are changed in
the same way.

By observing that $p_3 = 1 - p_1 - p_2$ in Eq. 15 we can see
that $p_1$ and $p_2$ are linearly related. Solve this for $p_1$ and call
the expression $p_1'$. Now let $j' \in \mathbb{N}$, $0 \le j' \le k$, be any value
that maximizes $c(p, K_{j'})$. $j'$ is either an endpoint of $[0, k]$ or
a closest integer to a local maximum. Substitute $p_1'$ for $p_1$ in
$c(p, K_{j'})$, and the result is a linear function of $p_2$. Therefore
either increasing or decreasing $p_2$ does not increase $c(p, K_{j'})$.
Suppose we move $p_2$ in the direction that decreases $c(p, K_{j'})$.
Because we vary $p_1'$ (and $p_3$) with $p_2$ in such a way as to
maintain the extremum of the parabola at the same value $j^*$,
$j'$ is maintained as a maximum of $c(p, K_j)$ as long as the
second derivative of $c(p, K_{j'})$ remains non-zero.



The process of changing $p_2$ stops when (i) the second
derivative of $c(p, K_{j'})$ becomes zero, (ii) $p_2$ reaches zero, (iii)
$p_3$ reaches zero, or (iv) $p_1$ reaches zero.

Case (i): In this case, all sets have the same value. This is 
only satisfied when the distribution is that of Eq. 11.

Case (ii): In this case, all probability is in pairs of two
trusted or two untrusted nodes. Therefore the maximizing
value of $j$ must be when it is as small as possible or as large
as possible, i.e., at $\max(0, k - n)$ or $\max(k, m)$. If the former
case is strictly larger, we can reduce it by decreasing $p_3$ and
increasing $p_1$. If the latter case is strictly larger, we can do
the reverse. Therefore the value in these two cases must be
equal. To find the probabilities $p_1$ and $p_3$ that satisfy this, let
$p_3 = 1 - p_1$, $v_0 = \max(k - m, 0)$, and $v_1 = \max(k - n, 0)$.
Then setting them equal and solving for $p_1$ yields the condition

$$p_1 = \frac{c_2^2\left(1 - \frac{v_0(v_0-1)}{n(n-1)}\right)}{c_1^2\left(1 - \frac{v_1(v_1-1)}{m(m-1)}\right) + c_2^2\left(1 - \frac{v_0(v_0-1)}{n(n-1)}\right)} \qquad (16)$$


Equation 16 then gives us the probability for each pair in
$\binom{U}{2}$ and $\binom{V}{2}$, and this is the same as the distribution in Eq. 13.

Case (iii): In this case, $p_3 = 0$. Then if $p_2 = 0$ also, we put
all probability in the trusted nodes, which is the distribution
described in Eq. 12.

Now suppose that $p_2 > 0$. We will consider moving
probability between $p_1$, $p_2$, and $p_3$ to show that this case isn't
possible. Let $p_2 = 1 - p_1$ in Eq. 14 and call this $c_3(p, K_j)$.
Then use this to consider trading off $p_1$ and $p_2$ to find the
optimal assignment. As $p_1$ varies, the change in the value of
the set $K_j$ is

$$D_{p_1}c_3(p, K_j) = \frac{jc_1}{m}\left[\frac{(j-1)c_1}{m-1} - \frac{(k-j)c_2}{n}\right] \qquad (17)$$


Next, let $p_2 = 1 - p_1 - p_3$ in Eq. 14 and call this $c_4(p, K_j)$.
Moving $p_2$ to $p_3$ results in a change of

$$D_{p_3}c_4(p, K_j) = \frac{(k-j)c_2}{n}\left[\frac{(k-j-1)c_2}{n-1} - \frac{jc_1}{m}\right] \qquad (18)$$


Let $j^* \in \arg\max_j c(p, K_j)$ be the largest integer that is a
maximum of $c(p, K_j)$.

We observe that $D_j^2 c(p, K_j) < 0$. If not, we would have
$j^* = k$. Then Eq. 17 shows that decreasing $p_1$ would decrease
the value at $j^*$, and $p_1$ is non-zero so we could do this because,
at $p_1 = 0$, $c(p, K_j)$ is largest at $j^* = \lceil k/2 \rceil \ne k$. Such a
decrease would contradict the optimality of $j^*$.

Now, because $D_j^2 c(p, K_j) < 0$, there may be some $\tilde{j} \in
\arg\max_j c(p, K_j)$ such that $\tilde{j} < j^*$. There are four cases
to consider here: (1) $D_{p_1}c_3(p, K_{j^*}), D_{p_1}c_3(p, K_{\tilde{j}}) < 0$, (2)
$D_{p_1}c_3(p, K_{j^*}), D_{p_1}c_3(p, K_{\tilde{j}}) > 0$, (3) $D_{p_1}c_3(p, K_{j^*}) > 0$
and $D_{p_1}c_3(p, K_{\tilde{j}}) < 0$, and (4) $D_{p_1}c_3(p, K_{j^*}) < 0$ and
$D_{p_1}c_3(p, K_{\tilde{j}}) > 0$.

In case (1), we could decrease $c$ at $j^*$ and $\tilde{j}$ by moving
probability from $p_2$ to $p_1$. This would contradict the optimality
of $p$.


For case (2), we use the fact that

$$0 < a < b \Rightarrow \frac{a-1}{b-1} < \frac{a}{b} \qquad (19)$$

Inequality 19 implies that if $D_{p_1}c_3(p, K_j) > 0$, then
$D_{p_3}c_4(p, K_j) < 0$. Therefore we could decrease $c$ at $j^*$ and
$\tilde{j}$ by moving probability from $p_2$ to $p_3$, contradicting the
optimality of $p$.

For case (3), we show that we can still decrease both $j^*$
and $\tilde{j}$ while maintaining their equality, and hence maximality,
by moving some probability from $p_2$ to $p_1$ and $p_3$. Moving
probability from $p_2$ to $p_1$ increases the value at $j^*$ and
decreases the value at $\tilde{j}$. This implies, by Inequality 19, that
moving probability from $p_2$ to $p_3$ decreases the value at $j^*$.
Furthermore, we can assume that it increases it at $\tilde{j}$ because
otherwise we could decrease both $j^*$ and $\tilde{j}$ by moving probability
directly from $p_2$ to $p_3$.

For $j^*$ and $\tilde{j}$ to be integral maxima of Eq. 14, it must be
that $j^* - 1 = \tilde{j}$. Also, solving $D_{p_1}c_3 = D_{p_3}c_4$ for $j$, we
find that at this point, $D_{p_1}c_3 < 0$ and $D_{p_3}c_4 < 0$. Therefore,
$j^*$ is at most one more than this point. We can observe by
calculation that within this range the ratio $|D_{p_1}c_3 / D_{p_3}c_4|$ is
less than one. Similarly, $\tilde{j}$ is at most one less than this point,
and within this range the ratio $|D_{p_1}c_3 / D_{p_3}c_4|$ is greater than
one.

This shows that we can move probability from $p_2$ to $p_1$ and
$p_3$ at rates that decrease the value at both $j^*$ and $\tilde{j}$. Because
they were maximum, we have lowered the value of the worst-case
subset $K_{j^*}$, contradicting the optimality of $p$.

Case (4) is not possible because $D_j^2[D_{p_1}c_3] > 0$ and
$D_{p_1}c_3(p, K_0) = 0$.

Case (iv): In this case, if $p_2 > 0$, the case is symmetric to
the case of $p_1, p_2 > 0$ and we can apply the same argument.
Therefore assume that $p_2 = 0$, which implies that $p_3 = 1$. It
must be that $m < n$ because otherwise we could set $p_1 = 1$
and $p_3 = 0$ and improve the worst case. But now consider
moving some probability from $p_3$ to $p_1$. Let $p_1 = 1 - p_3$ in
Eq. 14 and call this $c_3$. The change in the worst-case
subset, $K_n$, is

$$D_{p_3}c_3(p, K_n) = c_2^2 - \frac{(k-n)(k-n-1)c_1^2}{m(m-1)}$$

This must be greater than zero because $c_2 > c_1$ and $k - n < m$.
Therefore decreasing $p_3$ decreases $c(p, K_n)$, contradicting the
optimality of $p$. □


6. Choosing a distribution 

We have shown that there are three possibilities for an
optimal strategy in choosing nodes that will minimize the
best chances a fixed-size adversary has to compromise both
endpoints of an onion-routing circuit when a trusted set is
available. To choose a distribution, a user can simply calculate
the probability of compromise in each case and use the
distribution with the smallest result. The optimal distribution
depends on all the variables in the system: the trust values,
the size of the trusted set, the size of the untrusted set, and
the size of the adversary.

In the first distribution, described in Eq. 11, the user chooses
pairs $\{i,j\}$ to make $p(i,j)c_ic_j$ equal for all $i,j$. This is a
random choice of pairs weighted by the trust in the pair. The
probability of compromise under this strategy is

$$C_1 = \frac{k(k-1)c_1^2c_2^2}{m(m-1)c_2^2 + 2mn\,c_1c_2 + n(n-1)c_1^2} \qquad (20)$$


This strategy is optimal when the network is large compared 
to the adversary, and so it benefits the user to spread out 
his distribution, even to less-trusted routers. It is also optimal 
when the trust values are close. 

In the second distribution, described in Eq. 12, the user
randomly selects pairs from within the trusted set. This can
only be optimal if the size $k$ of the adversary is larger than the
size $m$ of the trusted set. Otherwise, the user could decrease
the probability of compromise by putting some of the
pair-selection distribution on pairs outside the trusted set. Doing so
would not change the adversary's worst-case subset, which is
entirely in the trusted set, but it would decrease the probability
that those nodes are chosen by the user. The probability of
compromise, assuming $k > m$, is simply

$$C_2 = c_1^2 \qquad (21)$$


We can compare this to Eq. 20 and observe that $c_1$ can always
be made small enough to make this value less than the value
of the first strategy. These equations also show that choosing
only trusted nodes will be optimal when $k$ is large relative to
the network. When $k = m + n$, this case is always optimal.

The third distribution, given in Eq. 13, is perhaps the
least obvious one, and arises as a result of the fact that
users choose their distribution over pairs, while the adversary
attacks individual routers. Let $v_0 = \max(k - m, 0)$ and
$v_1 = \max(k - n, 0)$. Then let $g_0 = v_0(v_0 - 1)/(n(n - 1))$
and $g_1 = v_1(v_1 - 1)/(m(m - 1))$. In general, the probability
of compromise under this distribution is

$$C_3 = \frac{c_1^2c_2^2(1-g_0)}{c_1^2(1-g_1) + c_2^2(1-g_0)} + \frac{v_0(v_0-1)c_1^2c_2^2(1-g_1)}{n(n-1)\left(c_1^2(1-g_1) + c_2^2(1-g_0)\right)} \qquad (22)$$

$$\phantom{C_3} = \frac{v_1(v_1-1)c_1^2c_2^2(1-g_0)}{m(m-1)\left(c_1^2(1-g_1) + c_2^2(1-g_0)\right)} + \frac{c_1^2c_2^2(1-g_1)}{c_1^2(1-g_1) + c_2^2(1-g_0)} \qquad (23)$$


To make some sense of this, it is helpful to consider some
special cases. When $n > k$, $m < k$, the probability of
compromise is

$$C_3 = \frac{k(k-1)c_1^2c_2^2}{n(n-1)\left(c_1^2 + c_2^2(1-g_0)\right)}$$

We can see that there is some large $m$ such that $C_3$ is less
than $C_2$ and $C_1$. What happens in this case is that there are a
large number of routers, and the user wants to spread his
probability among them. However, because $k > n$, spreading
the probability to all cross-pairs (one trusted and one untrusted
router) means that an adversary selecting as many untrusted
routers as possible gains $(k - n)n/(mn) = (k - n)/m$ of the
probability on such pairs. On the other hand, when spreading
to trusted pairs, $(k - n)(k - n - 1)/(m(m - 1))$ of the shifted
probability is captured by the adversary. The latter shrinks
quadratically with $m$ while the former shrinks only linearly. At
some point it will be beneficial to spread probability to trusted
pairs but not to cross-pairs. The case when $m > k$, $n < k$ is
similar. This distribution is never optimal when $m > k$ and
$n > k$, because the worst-case sets are contained within $U$ and
$V$, and so spreading probability to the cross-pairs some small
amount will always decrease the probability of compromise.
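
The selection rule of this section, as an added example (not code from the paper): it builds the three candidate distributions of Eqs. 11-13, evaluates each against its worst-case adversary set by enumerating $j$ rather than using the closed forms, and returns the one with the smallest worst case. It assumes the compromise value of a set $K$ is the sum over pairs inside $K$ of $p(r,s)c_rc_s$; the function names and sample parameters are constructed for illustration.

```python
from math import comb

def pair_probs(eq, m, n, c1, c2, k):
    """Probability of one pair of each class: (trusted, cross, untrusted)."""
    if eq == 11:  # Eq. 11: p(r,s)*c_r*c_s is the same for every pair
        d = comb(m, 2) * c2**2 + m * n * c1 * c2 + comb(n, 2) * c1**2
        return c2**2 / d, c1 * c2 / d, c1**2 / d
    if eq == 12:  # Eq. 12: uniform over trusted pairs only
        return 1 / comb(m, 2), 0.0, 0.0
    # Eq. 13: trusted pairs and untrusted pairs, never cross pairs
    v0, v1 = max(k - m, 0), max(k - n, 0)
    g0 = v0 * (v0 - 1) / (n * (n - 1))
    g1 = v1 * (v1 - 1) / (m * (m - 1))
    den = c1**2 * (1 - g1) + c2**2 * (1 - g0)
    return (c2**2 * (1 - g0) / den / comb(m, 2), 0.0,
            c1**2 * (1 - g1) / den / comb(n, 2))

def worst_case(eq, m, n, c1, c2, k):
    """Largest compromise probability over adversary sets K_j, where j is
    the number of trusted routers attacked (assumed value of K: the sum
    over pairs inside K of p(r,s)*c_r*c_s)."""
    pu, px, pv = pair_probs(eq, m, n, c1, c2, k)
    return max(comb(j, 2) * pu * c1**2 + j * (k - j) * px * c1 * c2
               + comb(k - j, 2) * pv * c2**2
               for j in range(max(0, k - n), min(k, m) + 1))

def choose(m, n, c1, c2, k):
    """Return (equation number, {equation: worst-case probability})."""
    if not (m >= 2 and n >= 2 and k >= 2 and 0 < c1 < c2 <= 1):
        raise ValueError("need m, n, k >= 2 and 0 < c1 < c2 <= 1")
    if k >= m + n:  # every router can be attacked: only Eq. 12 applies
        return 12, {12: c1**2}
    scores = {eq: worst_case(eq, m, n, c1, c2, k) for eq in (11, 12, 13)}
    return min(scores, key=scores.get), scores

if __name__ == "__main__":
    # Constructed parameters: 5 trusted and 50 untrusted routers, k = 4
    print(choose(5, 50, 0.1, 0.5, 4))
```
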

7. Conclusion and future work 

We have set out a simple model for reasoning about using
trust for routing in onion-routing anonymity networks. This
model modifies the traditional roving adversary by adding
trust, so the success of the adversary in attacking nodes he
chooses becomes probabilistic rather than certain. Trust is thus
defined as the probability that the adversary fails in attempting
to compromise a node. We used this model to look at
end-to-end correlation attacks by nodes in onion-routing networks.
We expect this model to be useful for future research by
ourselves and others.

We used our model to show optimal strategies for choosing 
routes when trust information is available. The strategies are 
optimal in that they minimize the maximum probability a 
correlating adversary has for linking source to destination. 

In the general case, where there is an arbitrary number of 
trust levels, we presented an algorithm to calculate an optimal 
distribution, an algorithm which runs in time exponential in 
the size of the adversary. We described a natural simplification 
and approximation of this, which permitted the calculation of 
optimal strategies on selection of individual nodes, but we 
also showed that the approximation based on this is arbitrarily 
worse than optimal distributions on pairs of nodes. 

We then turned to consider a practical approach by limiting
ourselves to two trust levels. In addition to being
computationally tractable, users of deployed networks are more likely to
be capable in practice of dividing routers into these levels. We
described three distributions for this case and proved that one
of them must be optimal. Lastly, we discussed determining in
practice when one of the three distributions is optimal based
on the values of the system variables: trust values, size of the
trusted and untrusted sets, and the size of the adversary.

The results we have produced are more complicated than we 
expected, both to describe and to prove. It will be interesting to 
examine larger questions of trust in future work: What happens 
when a network is shared between entities that do not share 
trust levels placed on the nodes? What is the impact of trust 
on profiling in this case? What is the effect of learning if we 
add time to the model and allow the adversary to rove rather 
than conducting a one-off attack? 

Though our motivation is onion routing, our analysis applies
to any network where it would be beneficial to reduce the
chance of circuit-endpoint threats by choosing circuits with
less vulnerable endpoints. It clearly generalizes to other low- 
latency anonymity designs, such as Crowds [27]. It also 
applies beyond networks for anonymity to other concerns. 
For example, network endpoints may be able to collaborate 
to cover up checksum or other errors that might flag data- 
integrity attacks. And, capturing internet traffic for any kind of 
analysis (cryptanalysis, textual analysis, traffic analysis, etc.) 
may be easier to do or harder to detect or both if pairs of nodes 
are collaborating for route capture. Alternatively they might 
collaborate for unfair resource sharing. Similar observations 
apply to ad-hoc and peer-to-peer networks and to sensor 
networks, for which vulnerability of cheap, low-power, and 
physically accessible nodes is a known concern. Going further, 
our results are not restricted in applicability to path endpoints. 
In any setting in which sets of principals can collaborate 
so that a successfully compromised pair can conduct an 
attack our results are potentially applicable. Examining larger 
numbers of nodes being attacked than just pairs is one possible 
generalization of this work that should apply in many settings. 